Information security topics | Γιώργος Πατσής & Αλέξης Δημητριάδης | Obrela Security Industries


Page 1: Information security topics | Γιώργος Πατσής & Αλέξης Δημητριάδης | Obrela Security Industries

Training programme

Digital marketing & social networks

Information security topics

Γιώργος Πατσής - CEO

Αλέξης Δημητριάδης – IS Penetration Tester

Obrela Security Industries

Page 2:

The Economics of Information Security

Page 3:

Information Security: What, Why and How

Page 4:

What?

Be in a secure state – free from dangers

Protection of Information Assets against adversaries, intentional or otherwise

Integrity, Availability, Confidentiality

Page 5:

Information Assets

Hardware and Software

Systems, Networks

Applications

Data Centers

People

Information Containers

Page 6:

Environment

The velocity of change in Information Technology. Evolution introduces complexity. Cloud, mobility, new payment and commerce models increase security threats.

New World Order and Globalization provide a broader attack surface. 2.8 billion people and over 10 billion Internet-enabled devices access the Internet. The growing adoption of the Internet provides increasing opportunities to commit crime facilitated, enabled or amplified by the Internet.

Increased cybercrime sophistication and commercialization. A service-based criminal business model drives innovation and provides access to a wide range of services facilitating cybercrime. The criminal industry costs global economies an estimated USD 300+ billion per year.

Inadequate legislation. In many jurisdictions outside the EU there are no adequate legal frameworks in place for judicial cooperation. Even within the EU, differences in legislation and in the legal instruments to detect, attribute and exchange information in relation to cybercrimes cause significant impediments.

Page 7:

Threats

Hackers

Hacktivism

Industrial Espionage

Competitive Intelligence

Disgruntled Employees

Acts of God

Human Error

Page 8:

Crime Areas

CRIME AS A SERVICE

Infrastructure-as-a-Service

Data-as-a-Service

Pay-per-install Services

Hacking-as-a-Service

Translation Services

Money-Laundering-as-a-Service

MALWARE

Trojans

Criminal Botnets

Page 9:

Crime Areas

CREDIT CARD FRAUD

Skimming

POS Fraud

ATM Fraud

CNP Fraud

ONLINE FRAUD

Bank Transfers with fake IDs

Paypal

Virtual Currencies

On-Line Gambling

Money Mules

Page 10:

Crime Areas

SOCIAL ENGINEERING

SPAM (80B Messages)

Phishing

DATA BREACHES

Web Application Attacks

Cyber Espionage

Crimeware (malware/trojans)

Physical Loss/Theft

Card Skimmers

DoS Attacks

APTs (average time an attacker remained on a compromised network: 229 days)

Page 11:

Crime Areas

CRITICAL INFRASTRUCTURE

Cross-Sector Dependencies

Cascade Effects

Page 12:

Why

Information is the most valuable asset

A fundamental quality vector

The market asks for it (consumer, corporate, government)

Liability – Obligation under law (not a nice to have)

Money…

Page 13:

How

Information Security is not about Technology

Everyone is involved and responsible

A key management issue

Risk Management applies

Page 14:

How

Key Elements

Process


Technology

People

Page 15:

How

People

Awareness, Training, Culture

Page 16:

How: Process

Governance

Preventive Maintenance

Operational Security

Policy and Standards

Business Continuity

Risk Management

Assess, Mitigate, Accept, Transfer

Page 17:

How

Technology

Data Security (Encryption, DLP, Availability)

Network Security (Firewalls, IDS, IPS)

Systems Security (Antimalware)

Application Security (WAF)

End User Security (Access Control, Authentication)

Requires know-how and resources

Must be constantly maintained and monitored

Page 18:

Risk Management: Identify, Evaluate and Manage the Risks

Page 19:

Identify

Business

Marketing

Technology

Financial

Legal

Page 20:

Assess

Likelihood x Impact

Qualitative vs. Quantitative

Listen to the experts

Know your business

Do it regularly

Page 21:

Mitigate

Preventive Controls

Define Policy

Build Security Controls

Assess Effectiveness

Continuously Improve

Reactive Controls

Monitor, React

Page 22:

Manage

Not all risks require mitigation/remediation

Information security must be strategic

Information security strategy must be aligned with Business

Risk is unique to your business and environment; there is no one-size-fits-all solution

Risks change as your business environment changes

You are in trouble if you ignore risks or assume they don't exist

Take informed decisions
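A worked version of the Assess / Mitigate / Accept / Transfer steps from pages 16, 20, 21 and 22, as an added example that is not part of the Obrela deck: the register entries, the 1..5 scales, the band thresholds, the loss figures and the Risk, score, band, ale, treatment and prioritise names are all assumptions made for the illustration. It scores each risk as Likelihood x Impact (the qualitative view), computes the annualised loss expectancy SLE x ARO (the quantitative view), ranks the register for the regular review, and chooses between accepting, mitigating or transferring a risk by comparing the annual cost of each option.

```python
"""Risk assessment and treatment: Likelihood x Impact, qualitative and quantitative.

Added example; the register entries, scales and cost figures are constructed
for illustration and are not taken from the Obrela slides.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed 1..5 ordinal scales; the product (1..25) is mapped to a qualitative band.
BANDS = ((5, "Low"), (10, "Medium"), (15, "High"), (25, "Critical"))


@dataclass
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    sle: float        # quantitative: expected loss per incident, EUR (assumed field)
    aro: float        # quantitative: expected incidents per year (assumed field)


def score(risk: Risk) -> int:
    """Qualitative score = Likelihood x Impact on the 1..5 scales."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return risk.likelihood * risk.impact


def band(value: int) -> str:
    """Map a 1..25 score to its qualitative band."""
    for upper, label in BANDS:
        if value <= upper:
            return label
    raise ValueError("score out of range")


def ale(risk: Risk) -> float:
    """Quantitative view: annualised loss expectancy = SLE x ARO."""
    return risk.sle * risk.aro


def treatment(risk: Risk, control_cost: float, residual_aro: float,
              premium: float) -> Tuple[str, float]:
    """Pick the cheapest annual option among Accept, Mitigate and Transfer.

    Accept   pays the full ALE.
    Mitigate pays the control plus the ALE that remains at residual_aro.
    Transfer pays an insurance premium (assumed here to cover the loss in full).
    """
    options = {
        "Accept": ale(risk),
        "Mitigate": control_cost + risk.sle * residual_aro,
        "Transfer": premium,
    }
    choice = min(options, key=options.get)
    return choice, options[choice]


def prioritise(register: List[Risk]) -> List[str]:
    """Rank the register by qualitative score, highest first."""
    return [r.name for r in sorted(register, key=score, reverse=True)]


# Constructed register for a marketing department (not real data).
REGISTER = [
    Risk("Phishing of marketing staff credentials", likelihood=4, impact=4, sle=20_000, aro=2.0),
    Risk("Web site defacement", likelihood=3, impact=2, sle=5_000, aro=1.0),
    Risk("Data centre flooding", likelihood=1, impact=5, sle=500_000, aro=0.02),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: {score(r)} ({band(score(r))}), ALE {ale(r):,.0f} EUR")
    print(prioritise(REGISTER))
    print(treatment(REGISTER[0], control_cost=8_000, residual_aro=0.5, premium=25_000))
```

Running the module prints the ranked register and the treatment chosen for the phishing risk. The quantitative branch is what turns "not all risks require mitigation" into a decision: with the constructed figures the flooding risk scores Low and is cheaper to insure than to mitigate, the defacement risk is cheapest to simply accept, and only the phishing risk justifies paying for a control.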

Page 23:

For the Chief xxx Officers: Need to know(s)

Page 24:

Due Care

Provides a framework that helps to define a minimum standard of protection that business stakeholders must attempt to achieve

Often references the Prudent Man Rule and requires that the organization engage in business practices that a prudent, right-thinking person would consider appropriate

Businesses found not to have applied this minimum duty of care can be deemed negligent in carrying out their duties

Page 25:

Due Diligence

Requires that an organization continually scrutinize its own practices to ensure that it is always meeting or exceeding the requirements for protection of assets and stakeholders

Due diligence is the management of due care: it follows a formal process

Persons are said to have exercised due diligence, and therefore cannot be considered negligent, if they were prudent in their investigation of potential risks and threats

Page 26:

The Market

Professional Services

Technology Vendors

Security Service Providers

Technology Integrators

Page 27:

Buy Vs. Build

Outsource

▪ Low initial investment and no assets (zero CAPEX)

▪ Specialized and subject matter expert partner with INFOSEC as core business

▪ Strong SLA with liabilities & warranties

▪ Low OPEX

▪ Flexibility

Insource

▪ Keep control

▪ Requires initial investment

▪ Acquire know-how

▪ High turnover

▪ High OPEX

▪ Lack of focus

▪ Dependency on vendors

Page 28:

Compliance and Legislation

Industries and Sectors

Telecommunications

Health

Banking and Finance

Electronic Crime

Insurance

Government

Regulations

Sarbanes-Oxley Act (SOX)

HIPAA

FISMA

Data Protection Act

Basel II

PCI DSS - Payment Card Industry Data Security Standard

Page 29:

Standards

ISO 27002:2005 (BSI)

COBIT

ITIL

PCI-DSS

NIST

ENISA

Page 30:

Your Security Officer

Must have experience in Information Security Management

Must have excellent communication and project managementskills

Must have a crystal clear background check

Must have verifiable references

Remember he will hold the keys…

Page 31:

When things go wrong

Call the experts as soon as possible

Size the exposure and liability

Understand the consequences before you decide actions

Engage the business stakeholders

If you decide to go public you need to decide the communication strategy

Inform the authorities

Page 32:

For the End Users: Tips & Tricks, from a 'white-hacking' perspective

Page 33:

Security awareness & culture

Alertness, observation and attentiveness are essential skills that play a key role in 'anomaly detection'

• Such anomalies can appear as: a fake web site (phishing attacks), a malicious email (client-side approaches), an infected computer (malware), etc.

Reporting and escalating such anomalies is the decisive response

• It's always better to report a 'false positive' incident than to suppress a 'false negative' one.
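The "fake web site" anomaly above, as an added example that is not from the slides: a small URL classifier that checks whether a link's host really belongs to one of the organisation's domains, the check a user does by eye when deciding whether to click. obrela.com, digima.gr and aueb.gr are taken from the deck's contact slides; the TRUSTED set, the HOMOGLYPHS table, the function names and the sample URLs are assumptions made for the illustration.

```python
"""Spotting a fake web site: flag lookalike URLs against the organisation's own domains.

Added example; obrela.com, digima.gr and aueb.gr appear on the slides, while the
homoglyph table, the trusted set and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

TRUSTED = {"obrela.com", "digima.gr", "aueb.gr"}
# ASCII substitutions commonly seen in lookalike registrations (assumed list).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"))


def normalise(domain: str) -> str:
    """Undo the substitutions so '0bre1a.com' compares equal to 'obrela.com'."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def registrable(host: str) -> str:
    """Last two labels. Simplification: production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats such as obrela.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', a description of why the URL looks fake, or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "invalid: no host"
    if "@" in parts.netloc:
        # https://www.obrela.com@evil.example/ displays obrela.com but connects to evil.example
        return f"suspicious: userinfo in URL, real host is {host}"
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    for trusted in sorted(TRUSTED):
        brand = trusted.split(".")[0]
        if normalise(domain) == trusted:
            return f"lookalike: homoglyph of {trusted}"
        if levenshtein(domain, trusted) <= 2:
            return f"lookalike: near {trusted}"
        # brand name placed in a subdomain of an unrelated registrable domain
        if brand in host.split(".")[:-2]:
            return f"lookalike: {brand} used as a subdomain of {domain}"
    return "unknown: not a trusted domain"


if __name__ == "__main__":
    for sample in ("https://www.obrela.com/login", "https://0bre1a.com/",
                   "http://obrela.com.secure-login.example/",
                   "https://www.obrela.com@evil.example/"):
        print(sample, "->", classify(sample))
```

The four tricks the sample URLs exercise (digit-for-letter substitution, a one-character typosquat, the brand name pushed into a subdomain, and a legitimate domain hidden in the userinfo part before the @) are the ones an alert user is asked to notice; "unknown" is deliberately not "safe", only "not ours".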

Page 34:

Raising the bar - The Human factor

Respecting the company’s Security Policy

• The human factor noticeably influences the security level established by the automated mechanisms, controls and procedures.

• Users' feedback is crucial for further improvements on new or existing blocking points

Social engineering attacks - Be prepared!

• Most attacks, APTs included, are nowadays performed through 'client-side approaches' (emails, calls, physical presence, etc.)

Page 35:

Raising the bar - Marketing tools

Marketing tools (web site, social media, etc.) represent a public and exposed entity that directly affects the company's image; their administration requires extra 'attention'

• System sphere: work vs. personal computer, laptops vs. smartphones, external sources

• Network sphere: untrusted networks (LANs, Wi-Fi)

• Password management & policy: complexity, history, pattern, modification period, etc.
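The password policy bullet above (complexity, history, pattern, modification period), as an added example that is not from the slides: a checker that enforces all four for the accounts behind a company's web site and social media. The POLICY thresholds, the keyboard rows, the PBKDF2 round count, the sample passwords and all function names are assumptions made for the illustration.

```python
"""Password policy check: complexity, history, pattern and modification period.

Added example; the thresholds in POLICY and the sample passwords are assumptions,
not values from the Obrela slides.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import List, Optional, Tuple

POLICY = {
    "min_length": 12,
    "min_classes": 3,      # of: lower, upper, digit, symbol
    "history_size": 5,     # most recent hashes that may not be reused
    "max_age_days": 90,    # modification period
}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. History keeps (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Re-derive with each stored salt and compare in constant time."""
    recent = history[-POLICY["history_size"]:]
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in recent)


def char_classes(password: str) -> int:
    """Count the character classes present (complexity)."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def weak_pattern(password: str, username: str) -> Optional[str]:
    """Describe the first weak pattern found (username, aaaa, abcd/4321, qwer), or None."""
    p = password.lower()
    if username and username.lower() in p:
        return "contains username"
    for i in range(len(p) - 3):
        run = p[i:i + 4]
        if len(set(run)) == 1:
            return "repeated character run"
        steps = [ord(run[k + 1]) - ord(run[k]) for k in range(3)]
        if steps == [1, 1, 1] or steps == [-1, -1, -1]:
            return "sequential run"
        if any(run in row or run[::-1] in row for row in KEYBOARD_ROWS):
            return "keyboard-row run"
    return None


def check_password(password: str, username: str,
                   history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    violations = []
    if len(password) < POLICY["min_length"]:
        violations.append("too short")
    if char_classes(password) < POLICY["min_classes"]:
        violations.append("insufficient character classes")
    pattern = weak_pattern(password, username)
    if pattern:
        violations.append(pattern)
    if in_history(password, history):
        violations.append("reused from history")
    return violations


def rotation_due(last_changed: date, today: date) -> bool:
    """Modification period: True once the password is max_age_days old."""
    return today - last_changed >= timedelta(days=POLICY["max_age_days"])


# Constructed history: one previously used password, stored only as a salted hash.
HISTORY = [hash_password("Summer2013!Obrela")]

if __name__ == "__main__":
    for pw in ("qwerty1234", "Summer2013!Obrela", "Correct-Horse-Battery-9"):
        print(pw, "->", check_password(pw, "adimitriadis", HISTORY) or "OK")
    print("rotation due:", rotation_due(date(2014, 1, 1), date(2014, 4, 1)))
```

Two design points worth noting: history is compared by re-deriving the candidate with each stored salt, so the old passwords themselves are never kept, and the comparison uses hmac.compare_digest rather than == so the check does not leak timing information.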

Page 36:

Raising the bar - Continuous training

The Information Technology field is constantly and rapidly evolving

Being up to date on the respective security aspects is a key element for people who manage important and exposed Information Assets

• This can be achieved through different means such as presentations, seminars, conferences, certifications and so on

Page 37:

Global View

Intelligence

Alerting and Notification

Global Investigations

Data Centers

Call Centers

Global Perspective

Page 38:

Thank you for your attention

Alexis Dimitriadis
IS Penetration Tester - Security Labs
Obrela Security Industries

Phone: 210 9573750 (ext. 20)
E-mail: [email protected]
Web site: www.obrela.com

George Patsis
CEO
Obrela Security Industries

Phone: 6944671244
E-mail: [email protected]
Web site: www.obrela.com

Page 39:

Training programme

Digital marketing & social networks

digima.gr | www.kek.aueb.gr

Follow DigiMa on

Facebook | Instagram | Slideshare | Google+ | LinkedIn